CMMC Compliance and Certification Requirements
This article covers the CMMC compliance and certification requirements for assessing the cybersecurity maturity of companies that provide services to the US government. CMMC (Cybersecurity Maturity Model Certification) is a process created by the Department of Defense (DoD) in 2018 based on the NIST Cybersecurity Framework. It is designed to provide a common language for organizations to describe their current cybersecurity posture and identify opportunities for improvement. The CMMC process is also the foundation for managing cybersecurity risk in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA), not to be confused with the Federal Information Security Management Act of 2002 (also abbreviated FISMA).
The Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) provides a common language for organizations to better describe their current cybersecurity posture and identify opportunities for improvement. The framework is also the foundation for managing cybersecurity risk in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA).

CMMC Purpose
The DoD created CMMC in response to increased concern over the cyber vulnerabilities of Defense Industrial Base (DIB) companies. The DIB is a critical part of the U.S. economy and supply chain, as it provides products and services to the DoD that are essential to national security. The DoD is concerned that the cyber vulnerabilities of DIB companies could have a negative impact on the defense and national security of the United States.
CMMC and FedRAMP Certification
While FedRAMP (the Federal Risk and Authorization Management Program) offers a standardized, government-wide approach to security assessment and continuous monitoring for cloud-based services, overseen by the Joint Authorization Board (JAB), CMMC offers a process for assessing cybersecurity maturity that can be used by any organization that provides services to the US DoD, whether or not it uses the cloud.
CMMC Rollout Schedule
The DoD released version 1.0 of the CMMC process on October 11, 2018 because NIST 800-171, which had been required since January 2018, was receiving low ratings. Federal agencies are required to use CMMC when assessing the cybersecurity risk of contractors and subcontractors, starting with contracts awarded on or after January 1, 2020. CMMC 2.0 builds upon the initial CMMC cybersecurity framework to enhance DIB security against evolving threats. Upon CMMC 2.0 implementation, the required CMMC level for contractors and subcontractors will be specified in solicitations and in Requests for Information.
The DoD will release updated versions of the CMMC framework through 2023. Future planned updates include:
1) Expansion of assessment guidance beyond contractor and subcontractor assessments;
2) Updates to existing requirements;
3) Addition of new requirements based on cybersecurity maturity improvement areas, as well as feedback from industry, agencies, and other stakeholders; and
4) Continued alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Who Must Comply with CMMC?
Organizations that contract with the Department of Defense (DoD) are required to be compliant with CMMC. The DoD has stated that it will certify only those organizations that can demonstrate a “sufficient” level of cybersecurity maturity. It is unclear what criteria the DoD will use to determine whether or not an organization has a “sufficient” level of cybersecurity maturity. However, the DoD has stated that it plans to release additional information about CMMC compliance soon.
How Can Companies Become CMMC Compliant?
The DoD has not released a list of approved security assessment providers or methodologies for CMMC compliance. However, companies should expect to use the same processes and procedures used for other NIST-based cybersecurity frameworks, such as the Cybersecurity Framework (CSF) and the Risk Management Framework (RMF).
Companies can prepare for CMMC certification by performing a self-assessment against the security objectives. Additionally, companies should ensure that their cybersecurity policies and procedures are in line with CMMC requirements and that they have the necessary tools and personnel to support continuous monitoring and incident response.
High Level CMMC Compliance and Certification Requirements
The following are the high-level steps that organizations should take to meet the CMMC compliance and certification requirements:
1) Understand the CMMC requirements;
2) Perform a self-assessment against the security objectives;
3) Develop policies and procedures that are in line with CMMC requirements;
4) Implement the necessary tools and personnel to support continuous monitoring and incident response;
5) Develop a cybersecurity maturity model that includes all of the necessary controls, procedures, and policies needed to demonstrate compliance with CMMC requirements;
6) Use the developed cybersecurity maturity model during risk assessments for contracts that are expected to be used by or produced for the DoD; and
7) Request approval from an authorized representative of the DoD to perform contractor or subcontractor risk assessments.
Protecting Unclassified Information (NIST 800-171)
The CMMC process references NIST 800-53, which government agencies use to assess the cybersecurity risk of contractors and subcontractors. The updates made in 2018 reference controls included in NIST 800-171, which will help ensure that all organizations using CMMC are also compliant with NIST 800-171.
NIST 800-53 can be used in conjunction with CMMC to meet these requirements, but organizations may also use other standards such as ISO 27001 or the ISM.
CMMC Compliance and Certification Requirements Levels
The CMMC compliance levels are listed below:
Level 1 – Foundational
This level is designed for organizations that have a limited understanding of cybersecurity and do not have a formal cybersecurity program in place. To achieve this level, organizations must meet the following requirements:
a) Implement risk management processes and procedures;
b) Establish and implement security objectives;
c) Protect information systems and data;
d) Detect, prevent, and respond to security incidents; and
e) Monitor the effectiveness of implemented countermeasures.
Level 2 – Advanced
This level is designed for organizations that have a more mature cybersecurity program and have implemented some of the controls listed in NIST 800-53. To achieve this level, organizations must meet the following requirements:
a) Implement risk management processes and procedures;
b) Establish and implement security objectives;
c) Protect information systems and data;
d) Detect, prevent, and respond to security incidents;
e) Monitor the effectiveness of implemented countermeasures; and
f) Implement some controls from NIST 800-53.
Level 3 – Expert
This level is designed for organizations that have a comprehensive cybersecurity program and have implemented all of the controls listed in NIST 800-53. To achieve this level, organizations must meet the following requirements:
a) Implement risk management processes and procedures;
b) Establish and implement security objectives;
c) Protect information systems and data;
d) Detect, prevent, and respond to security incidents;
e) Monitor the effectiveness of implemented countermeasures;
f) Implement all controls from NIST 800-53; and
g) Conduct periodic assessments to ensure that the implemented cybersecurity maturity model is adequate.
Which CMMC Level Must Companies Pursue?
Level 1 is suitable for organizations that do not have a formal cybersecurity program or any controls implemented. This level can be achieved by using CMMC in conjunction with other standards such as ISO 27001 or the ISM, or by using a NIST 800-53 based assessment.
Level 2 is suitable for organizations with a more mature cybersecurity program that understand their weaknesses and have developed some controls to help mitigate risk.
Level 3 is suitable for organizations with a formal cybersecurity program and all controls implemented. This level should only be pursued if all of the requirements from Levels 1 and 2 have been met.
The CMMC certification process can help organizations prove their commitment to cybersecurity and improve their overall security posture.
CMMC Compliance Oversight
The Defense Authorization Act of 2013 required that the DoD establish a track for cybersecurity certification and accreditation to ensure the security and resiliency of DoD systems. The Defense Information Systems Agency (DISA) oversees CMMC compliance, maintains the Cybersecurity Capability Maturity Model, and accredits certifiers/auditors.
To ensure that DoD vendors are CMMC compliant, DISA has developed a process for vendors to submit their products and services for assessment. This process includes submitting documentation and undergoing an on-site evaluation. Vendors who complete this process successfully are then listed on the CMMC Product and Services List.
The DoD offers any organization the opportunity to become a CMMC accredited certifier. The accreditation body is independent of the DoD and is responsible for assessing the competence of certifiers. Certifiers must meet specific requirements to be accredited, including holding an existing certification in a relevant area and having at least five years of relevant experience.
Who Can Be An Accredited Certifier?
Accreditation is voluntary, and there are several accreditation bodies that the DoD has approved. The CMMC accreditation process and body are independent of the DoD and are responsible for assessing the competence of certifiers, who must hold an existing certification in a relevant area and have at least five years of relevant experience to be accredited.
CMMC Accreditation Process
An organization must meet specific criteria to be accredited. The independent accreditation body assesses the competence of certifiers against those criteria, which include holding an existing certification in a relevant area and having at least five years of relevant experience.
The accreditation process can be lengthy, and the government does not guarantee that all organizations that apply will be accredited. However, the process provides a framework for ensuring that products and services meet the required cybersecurity standards.
Fake Accredited Certification Vendors
The government has put in place a process for vendors to submit their products and services for assessment to ensure that they meet the required CMMC standards. To become accredited, certifiers must submit a detailed CMMC plan that includes information about the management team, relevant products and services offered, how products and services will be assessed, the organization’s processes, procedures for signing off assessments, appropriate documentation, and training plans.
After submitting the plan, the certifier must undergo an on-site assessment by the accreditation body, which is independent of the DoD and verifies that the certifier meets the accreditation requirements (an existing certification in a relevant area and at least five years of relevant experience).
The government continues to monitor the market to detect fake certification vendors and has already sent cease and desist letters to some vendors.
CMMC Accredited Vendors List
There is a list of accredited certifiers on the accreditation body’s website. The process provides a framework for ensuring that products and services meet the required cybersecurity standards. However, the government does not guarantee that all organizations that apply will be accredited.
CMMC Compliance and Certification Requirements Checklist
While there is no one-size-fits-all checklist for becoming CMMC compliant, companies can take several steps to ensure they follow best practices.
First, companies should establish a governance board with authority to make decisions about cybersecurity policy across the organization. The governance board should include senior management and individuals with expertise in cybersecurity, risk management, and compliance.
Second, companies should develop and implement a company-wide cybersecurity program that complies with CMMC standards. The plan should lay out multiple layers of defense, including safeguards at the hardware and software level, policies and procedures for data handling and transmission, and employee training.
Third, companies should regularly test their cybersecurity measures to ensure that they are effective in preventing breaches.
Fourth, companies should maintain detailed documentation of their cybersecurity program and processes and employee training records.
Finally, companies should ensure that their vendor management policies are in line with CMMC requirements.
The Role of “Identity and Access Management” in CMMC Compliance
Identity and Access Management (IAM) is a critical control in CMMC and is used to protect information systems and data. IAM helps ensure that only authorized users can access sensitive information, which can help reduce the risk of a data breach. Organizations must implement an IAM program that addresses authentication, authorization, and accounting to achieve certification at any level.
IAM is also a crucial part of NIST 800-53, which is the control framework used to assess the cybersecurity maturity of an organization. NIST 800-53 requires organizations to implement identity and access management controls such as authentication, authorization, and accounting. Implementing these controls can help organizations meet the requirements for certification at all levels.
Conclusion
In summary, government audits are necessary for improving cybersecurity throughout the economy. The Cybersecurity Maturity Model Certification program is an integral part of this effort. However, the program is not without its limitations. Companies that want to meet CMMC compliance and certification requirements should engage in a comprehensive self-assessment before beginning the certification process.